根据“无狗脱彩虹3.X”一文,今天找来一个软件试了一下,如下:
0170B465 /74 6A je short 0170B4D1 =====这里就是要JMP的地方
0170B467 |A1 84F07101 mov eax, dword ptr [171F084]
0170B46C |48 dec eax
0170B46D |8BC8 mov ecx, eax
0170B46F |8D0480 lea eax, dword ptr [eax+eax*4]
0170B472 |8D0480 lea eax, dword ptr [eax+eax*4]
0170B475 |8D0441 lea eax, dword ptr [ecx+eax*2]
0170B478 |8D0445 30E07101 lea eax, dword ptr [eax*2+171E030]
0170B47F |05 14060000 add eax, 614
0170B484 |8985 88FEFFFF mov dword ptr [ebp-178], eax
0170B48A |833D 02E67101 0>cmp dword ptr [171E602], 0
0170B491 |74 27 je short 0170B4BA
0170B493 |A1 2CEB7101 mov eax, dword ptr [171EB2C]
0170B498 |8985 38FCFFFF mov dword ptr [ebp-3C8], eax
0170B49E |6A 40 push 40
0170B4A0 |B8 30E07101 mov eax, 0171E030
0170B4A5 |05 D6050000 add eax, 5D6
0170B4AA |50 push eax
0170B4AB |8B85 88FEFFFF mov eax, dword ptr [ebp-178]
0170B4B1 |50 push eax
0170B4B2 |6A 00 push 0
0170B4B4 |FF95 38FCFFFF call dword ptr [ebp-3C8]
0170B4BA |C705 10EB7101 0>mov dword ptr [171EB10], 1
0170B4C4 |A1 30EB7101 mov eax, dword ptr [171EB30]
0170B4C9 |8945 F4 mov dword ptr [ebp-C], eax
0170B4CC |6A 01 push 1
0170B4CE |FF55 F4 call dword ptr [ebp-C]
0170B4D1 \A1 5EEA7101 mov eax, dword ptr [171EA5E] ====来到这里!!往下看
0170B4D6 3305 ACE07101 xor eax, dword ptr [171E0AC]
0170B4DC A3 0CEB7101 mov dword ptr [171EB0C], eax
0170B4E1 A1 0CEB7101 mov eax, dword ptr [171EB0C]
0170B4E6 A3 E6E27101 mov dword ptr [171E2E6], eax
0170B4EB 66:C785 64FEFFF>mov word ptr [ebp-19C], 0
0170B4F4 EB 07 jmp short 0170B4FD
0170B4F6 66:FF85 64FEFFF>inc word ptr [ebp-19C]
0170B4FD 8B85 64FEFFFF mov eax, dword ptr [ebp-19C]
0170B503 25 FFFF0000 and eax, 0FFFF
0170B508 83F8 1E cmp eax, 1E
0170B50B 7D 18 jge short 0170B525
0170B50D 8B85 64FEFFFF mov eax, dword ptr [ebp-19C]
0170B513 25 FFFF0000 and eax, 0FFFF
0170B518 C70485 C4E07101>mov dword ptr [eax*4+171E0C4], -1
0170B523 ^ EB D1 jmp short 0170B4F6
0170B525 833D 00E07101 0>cmp dword ptr [171E000], 0
0170B52C 75 36 jnz short 0170B564
0170B52E 833D A4E07101 0>cmp dword ptr [171E0A4], 0
0170B535 74 16 je short 0170B54D
0170B537 A1 44E07101 mov eax, dword ptr [171E044]
0170B53C 3305 56E07101 xor eax, dword ptr [171E056]
0170B542 3305 EAE27101 xor eax, dword ptr [171E2EA]
0170B548 8945 F0 mov dword ptr [ebp-10], eax
0170B54B EB 0D jmp short 0170B55A
0170B54D A1 EAE27101 mov eax, dword ptr [171E2EA]
0170B552 35 B67583ED xor eax, ED8375B6
0170B557 8945 F0 mov dword ptr [ebp-10], eax
0170B55A 8B45 F0 mov eax, dword ptr [ebp-10]
0170B55D F7D0 not eax
0170B55F A3 00E07101 mov dword ptr [171E000], eax
0170B564 8D85 68FEFFFF lea eax, dword ptr [ebp-198]
0170B56A A3 ECEA7101 mov dword ptr [171EAEC], eax ======在这条之后就不同了,请问下面是不是花指令造成的?如何去除?
0170B56F E9 65030000 jmp 0170B8D9
0170B574 7A 03 jpe short 0170B579
0170B576 7B 01 jpo short 0170B579
0170B578 56 push esi
0170B579 E9 39050000 jmp 0170BAB7
0170B57E 90 nop
0170B57F 72 03 jb short 0170B584
0170B581 73 01 jnb short 0170B584
0170B583 16 push ss
0170B584 A1 56EA7101 mov eax, dword ptr [171EA56]
0170B589 3385 6BFEFFFF xor eax, dword ptr [ebp-195]
0170B58F A3 5AEA7101 mov dword ptr [171EA5A], eax
0170B594 75 03 jnz short 0170B599
0170B596 74 01 je short 0170B599
0170B598 36:8B85 6CFEFFF>mov eax, dword ptr [ebp-194]
0170B59F 8985 10FCFFFF mov dword ptr [ebp-3F0], eax
0170B5A5 6A 08 push 8
0170B5A7 8D85 68FEFFFF lea eax, dword ptr [ebp-198]
0170B5AD 50 push eax
0170B5AE B8 08E07101 mov eax, 0171E008
0170B5B3 83C0 04 add eax, 4
0170B5B6 50 push eax
0170B5B7 E8 5CD4FFFF call 01708A18
0170B5BC 83C4 0C add esp, 0C
0170B5BF C705 08E07101 0>mov dword ptr [171E008], 0
0170B5C9 C705 14E07101 0>mov dword ptr [171E014], 0
0170B5D3 833D 4EEA7101 0>cmp dword ptr [171EA4E], 0
0170B5DA 74 5A je short 0170B636
0170B5DC 7C 03 jl short 0170B5E1
0170B5DE 7D 01 jge short 0170B5E1
0170B5E0 3D C785C4FE cmp eax, FEC485C7
0170B5E5 FFFF ??? ; 未知命令
0170B5E7 EF out dx, eax
0170B5E8 A1 70017603 mov eax, dword ptr [3760170]
0170B5ED 77 01 ja short 0170B5F0
0170B5EF 76 FF jbe short 0170B5F0
0170B5F1 B5 C4 mov ch, 0C4
0170B5F3 FE ??? ; 未知命令
0170B5F4 FFFF ??? ; 未知命令
0170B5F6 7E 03 jle short 0170B5FB
0170B5F8 7F 01 jg short 0170B5FB
0170B5FA 2164FF 35 and dword ptr [edi+edi*8+35], esp
0170B5FE 0000 add byte ptr [eax], al
0170B600 0000 add byte ptr [eax], al
0170B602 79 03 jns short 0170B607
0170B604 78 01 js short 0170B607
0170B606 136489 25 adc esp, dword ptr [ecx+ecx*4+25]
0170B60A 0000 add byte ptr [eax], al
0170B60C 0000 add byte ptr [eax], al
0170B60E 75 03 jnz short 0170B613
0170B610 74 01 je short 0170B613
0170B612 36:B8 00000000 mov eax, 0
0170B618 C600 01 mov byte ptr [eax], 1
0170B61B 76 03 jbe short 0170B620
0170B61D 77 01 ja short 0170B620
0170B61F ^ 76 8B jbe short 0170B5AC
0170B621 04 24 add al, 24
0170B623 72 03 jb short 0170B628
0170B625 73 01 jnb short 0170B628
0170B627 E8 64A30000 call 01715990
0170B62C 0000 add byte ptr [eax], al
0170B62E 79 03 jns short 0170B633
0170B630 78 01 js short 0170B633
0170B632 36:83C4 08 add esp, 8
0170B636 E8 930E0000 call 0170C4CE
0170B63B 85C0 test eax, eax
0170B63D 75 05 jnz short 0170B644
0170B63F E9 B7040000 jmp 0170BAFB
0170B644 833D 62EA7101 0>cmp dword ptr [171EA62], 0
0170B64B 74 0A je short 0170B657
0170B64D E8 2FD1FFFF call 01708781
0170B652 A3 B0EA7101 mov dword ptr [171EAB0], eax
0170B657 C705 5AEA7101 0>mov dword ptr [171EA5A], 0
0170B661 6A 08 push 8
0170B663 6A 00 push 0
0170B665 8D85 68FEFFFF lea eax, dword ptr [ebp-198]
0170B66B 50 push eax
0170B66C E8 29320000 call 0170E89A
0170B671 83C4 0C add esp, 0C
0170B674 79 03 jns short 0170B679
0170B676 78 01 js short 0170B679
0170B678 B4 C7 mov ah, 0C7
0170B67A 85D8 test eax, ebx
0170B67C FE ??? ; 未知命令
0170B67D FFFF ??? ; 未知命令
0170B67F - E9 030000EB jmp EC70B687
0170B684 011C8D 8584FEFF add dword ptr [ecx*4+FFFE8485], ebx
0170B68B FF50 6A call dword ptr [eax+6A]
0170B68E 008D 85D8FEFF add byte ptr [ebp+FFFED885], cl
0170B694 FF50 68 call dword ptr [eax+68]
0170B697 C8 9F7001 enter 709F, 1
0170B69B 6A 00 push 0
0170B69D 6A 00 push 0
以上用彩虹脱壳脚本得到的OEP是错误的,密码也是错的。那个对EAX解码的地方,找不到在哪一行。请高手们指教!